What does the GDPR say?
Personal data is defined in the GDPR as:
“‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
This means personal data has to be information that relates to an individual. That individual must be identified or identifiable either directly or indirectly from one or more identifiers or from factors specific to the individual.
The GDPR covers the processing of personal data in two ways:
- personal data processed wholly or partly by automated means (that is, information in electronic form); and
- personal data processed in a non-automated manner which forms part of, or is intended to form part of, a ‘filing system’ (that is, manual information in a filing system).
In most circumstances, it will be relatively straightforward to determine whether the information you process ‘relates to’ an ‘identified’ or an ‘identifiable’ individual. In others, it may be less clear and you will need to carefully consider the information you hold to determine whether it is personal data and whether the GDPR applies.
This guidance will explain the factors that you should consider to determine whether you are processing personal data. These are:
- identifiability and related factors;
- whether someone is directly identifiable;
- whether someone is indirectly identifiable;
- the meaning of ‘relates to’; and
- when different organisations are using the same data for different purposes.
Are there categories of personal data?
Some of the personal data you process can be more sensitive in nature and therefore requires a higher level of protection. The GDPR refers to the processing of these data as ‘special categories of personal data’. This means personal data about an individual’s:
- ethnic origin;
- political opinions;
- religious or philosophical beliefs;
- trade union membership;
- genetic data;
- biometric data (where this is used for identification purposes);
- health data;
- sex life; or
- sexual orientation.
Personal data can include information relating to criminal convictions and offences. This also requires a higher level of protection.
What about unstructured paper records?
The GDPR does not cover information which is not, or is not intended to be, part of a ‘filing system’. However, under the Data Protection Act 2018 (DPA 2018) unstructured manual information processed only by public authorities constitutes personal data. This includes paper records that are not held as part of a filing system. While such information is personal data under the DPA 2018, it is exempted from most of the principles and obligations in the GDPR and is aimed at ensuring that it is appropriately protected for requests under the Freedom of Information Act 2000.
We intend to publish further guidance on the provisions of the DPA 2018 in due course.
Is pseudonymised data still personal data?
Pseudonymisation is a technique that replaces or removes information in a data set that identifies an individual.
The GDPR defines pseudonymisation as:
“…the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.”
Pseudonymisation may involve replacing names or other identifiers which are easily attributed to individuals with, for example, a reference number. Whilst you can tie that reference number back to the individual if you have access to the relevant information, you put technical and organisational measures in place to ensure that this additional information is held separately.
Pseudonymising personal data can reduce the risks to the data subjects and help you meet your data protection obligations.
However, pseudonymisation is effectively only a security measure. It does not change the status of the data as personal data. Recital 26 makes it clear that pseudonymised personal data remains personal data and within the scope of the GDPR.
“…Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person…”
A courier firm processes personal data about its drivers’ mileage, journeys and driving frequency. It holds this personal data for two purposes:
- to process expenses claims for mileage; and
- to charge their customers for the service.
For both of these, identifying the individual couriers is crucial.
However, a second team within the organisation also uses the data to optimise the efficiency of the courier fleet. For this, the identification of the individual is unnecessary.
Therefore, the firm ensures that the second team can only access the data in a form that makes it not possible to identify the individual couriers. It pseudonymises this data by replacing identifiers (names, job titles, location data and driving history) with a non-identifying equivalent such as a reference number which, on its own, has no meaning.
The members of this second team can only access this pseudonymised information.
Whilst the second team cannot identify any individual, the organisation itself can, as the controller, link that material back to the identified individuals.
This represents good practice under the GDPR.
What about anonymised data?
The GDPR does not apply to personal data that has been anonymised. Recital 26 explains that:
“…The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes.”
This means that personal data that has been anonymised is not subject to the GDPR. Anonymisation can therefore be a method of limiting your risk and a benefit to data subjects too. Anonymising data wherever possible is therefore encouraged.
However, you should exercise caution when attempting to anonymise personal data. Organisations frequently refer to personal data sets as having been ‘anonymised’ when, in fact, this is not the case. You should therefore ensure that any treatments or approaches you take truly anonymise personal data. There is a clear risk that you may disregard the terms of the GDPR in the mistaken belief that you are not processing personal data.
In order to be truly anonymised under the GDPR, you must strip personal data of sufficient elements that mean the individual can no longer be identified. However, if you could at any point use any reasonably available means to re-identify the individuals to which the data refers, that data will not have been effectively anonymised but will have merely been pseudonymised. This means that despite your attempt at anonymisation you will continue to be processing personal data.
You should also note that when you do anonymise personal data, you are still processing the data at that point.
In more detail – ICO guidance
We are working to update existing Data Protection Act 1998 guidance to reflect GDPR provisions. In the meantime, existing guidance on anonymisation is a good starting point.
Is information about deceased individuals personal data?
The GDPR only applies to information which relates to an identifiable living individual. Information relating to a deceased person does not constitute personal data and therefore is not subject to the GDPR.
What about information about companies?
Information concerning a ‘legal’ rather than a ‘natural’ person is not personal data. Consequently, information about a limited company or another legal entity, which might have a legal personality separate to its owners or directors, does not constitute personal data and does not fall within the scope of the GDPR. Similarly, information about a public authority is not personal data.
However, the GDPR does apply to personal data relating to individuals acting as sole traders, employees, partners, and company directors wherever they are individually identifiable and the information relates to them as an individual rather than as the representative of a legal person. A name and a corporate email address clearly relates to a particular individual and is therefore personal data. However, the content of any email using those details will not automatically be personal data unless it includes information which reveals something about that individual, or has an impact on them (see the chapters on the meaning of ‘relates to’ and indirectly identifying individuals, below).
We are working to update existing Data Protection Act 1998 guidance to reflect GDPR provisions. In the meantime, this existing guidance on anonymisation is a good starting point.